[Infowarrior] - ISP snooping gaining support

Richard Forno rforno at infowarrior.org
Fri Apr 14 09:27:37 EDT 2006


ISP snooping gaining support

By Declan McCullagh
http://news.com.com/ISP+snooping+gaining+support/2100-1028_3-6061187.html

Story last modified Fri Apr 14 05:51:22 PDT 2006

The explosive idea of forcing Internet providers to record their customers'
online activities for future police access is gaining ground in state
capitols and in Washington, D.C.

Top Bush administration officials have endorsed the concept, and some
members of the U.S. Congress have said federal legislation is needed to aid
law enforcement investigations into child pornography. A bill is already
pending in the Colorado State Senate.

Mandatory data retention requirements worry privacy advocates because they
permit police to obtain records of e-mail chatter, Web browsing or chat-room
activity that normally would have been discarded after a few months. And
some proposals would require providers to retain data that ordinarily never
would have been kept at all.

CNET News.com was the first to report last June that the U.S. Department of
Justice was quietly shopping around the idea of legally required data
retention. But it was the European Parliament's vote in December for a data
retention requirement that seems to have attracted broader interest inside
the United States.

At a hearing last week, Rep. Ed Whitfield, a Kentucky Republican who heads a
House oversight and investigations subcommittee, suggested that data
retention laws would be useful to police investigating crimes against
children.

"I absolutely think that that is an idea that is worth pursuing," an aide to
Whitfield said in an interview on Thursday. "If those files were retained
for a longer period of time, it would help in the uncovering and prosecution
of these crimes." Another hearing is planned for April 27.

Internet providers generally offer three reasons why they are skeptical of
mandatory data retention: first, it is not clear who will be able to access
records of someone's online behavior; second, it's not clear who will pay
for the data warehouses to be constructed; and third, it's not clear that
police are hindered by current law as long as they move swiftly in
investigations.

"What we haven't seen is any evidence where the data would have been
helpful, where the problem was not caused by law enforcement taking too long
when they knew a problem existed," said Dave McClure, president of the U.S.
Internet Industry Association, which represents small to midsize companies.

McClure said that while data retention aficionados cite child pornography,
the stored data would be open to any type of investigation--including, for
instance, those focused on drug crimes, tax fraud, or terrorism
prosecutions. "The agenda behind this doesn't appear to be legitimate," he
said.

Proposals for mandatory data retention tend to adhere to one of two models:
address storage or some kind of content storage. In the first model,
businesses must record only which Internet address is assigned to a customer
at a specific time. In the second, which is closer to what Europe adopted,
more types of information must be retained--including telephone numbers
dialed, contents of Web pages visited, recipients of e-mail messages and so
on.

Without saying what model he favored, Homeland Security Secretary Michael
Chertoff broadly endorsed data retention at a meeting of a departmental
privacy panel last month. In response to a question, Chertoff said that
federal police should be permitted to run queries against data repositories
created and maintained by businesses for a set time.

"That might be a model for some kind of data retention issue," Chertoff
said. "It might be one that would say the government, instead of holding the
data itself, will allow it to remain in the private sector, provided the
private sector retains it for a period of time so we can ping against it."

FBI Director Robert Mueller was more blunt. He was quoted by the Financial
Times in January as saying: "There can be standardized regulations and rules
relating to data retention and secondly a mechanism for the swift exchange
of information." The remarks, made at the Davos economic forum, were part of
Mueller's support of harmonizing national laws dealing with computer crime.

Neither the FBI nor Homeland Security responded to a request for comment on
Thursday.

Agitation by state investigators

Federal politicians also are being lobbied by state law enforcement
agencies, which say strict data retention laws will help them investigate
crimes that have taken place a while ago.

Sgt. Frank Kardasz, head of Arizona's Internet Crimes Against Children Task
Force, surveyed his colleagues in other states last month asking them what
new law would help them do their jobs. "The most frequent response involved
data retention by Internet service providers," or ISPs, Kardasz told
News.com in an e-mail message on Thursday.

Because Internet addresses remain a relatively scarce commodity, ISPs tend
to allocate them to customers from a pool based on when the connection is
actually in use. (Two standard techniques used are the Dynamic Host
Configuration Protocol and Point-to-Point Protocol over Ethernet.)

Police typically rely on subpoenas to find which customer was assigned which
Internet address. "When subscriber information is not preserved by the ISPs
the investigation dead-ends," said Kardasz, who has testified before
Whitfield's subcommittee. "Ideally, we would like to have ISPs preserve
subscriber information for one year."

Flint Waters, head of Wyoming's Internet Crimes Against Children task
force, also is pressing for federal data retention laws. He's interested in
mandating records of who used what Internet address--not content such as
chat conversations, e-mail messages, and so on.

"Individuals will activate their Webcam when they're abusing a child and
they'll record the sexual assault live, and it may be 45 days before law
enforcement finally gets notified," Waters said. "We reach out to service
providers and they say they don't maintain those records, so the child
remains in that environment, and there's nothing we can do to help them."
Waters said that Comcast was unable to help police in an investigation
dealing with the rape of a 2-year-old child because logs are routinely
deleted as is standard business practice. "We'd like to see one year
minimum" for data retention, Waters said. "Two years would be even better."

Comcast did not take a position on data retention laws when asked on
Thursday. But Jeanne Russo, a Comcast spokeswoman, said: "Comcast is
horrified by any act of violence inflicted upon a child and takes this issue
very seriously. Comcast promptly processes and responds to valid legal and
law enforcement requests according to law and as described in our applicable
privacy policy."

Colorado's legislature is considering an amendment to a
bill dealing with sex offenders.

The amendment, sponsored by state Sen. Ron Tupa, a Democrat, requires
Internet providers to "maintain, for at least 180 days after assignment, a
record of the Internet protocol address" assigned to each customer.
Violations can be punished by fines of up to $10,000 per incident.

"Preservation" vs. "Retention"

At the moment, Internet service providers typically discard any log file
that's no longer required for business reasons such as network monitoring,
fraud prevention or billing disputes. Companies do, however, alter that
general rule when contacted by police performing an investigation--a
practice called data preservation.

A 1996 federal law called the Electronic Communication Transactional Records
Act regulates data preservation. It requires Internet providers to retain
any "record" in their possession for 90 days "upon the request of a
governmental entity."

In addition, Internet providers are required by another federal law to
report child pornography sightings to the National Center for Missing and
Exploited Children, which is in turn charged with forwarding that report to
the appropriate police agency.

That pair of laws--coupled with Internet providers' willingness to cooperate
when a child is being harmed--has created a system that works today, says
Kate Dean, director of the U.S. Internet Service Provider Association.

"Law enforcement has not demonstrated that the absence of mandatory data
retention is detrimental to the public interest," said Dean, whose board
members include representatives of AOL, Verizon, BellSouth and EarthLink.

Dean said she's not sure whether U.S. data retention proposals being
discussed are likely to mandate mere address recording or also require the
storage of the contents of e-mail messages and Web pages visited. A
representative of one large Internet provider who did not want to be quoted
expressed concern that content could be swept up into legislation--and cited
the privacy and security risks of having such a massive data warehouse
available.

Michigan Rep. Bart Stupak, who's the senior Democrat on the House oversight
and investigations subcommittee, expressed skepticism about forcible data
retention requirements in an interview on Thursday. He said he would not "be
in a rush to support" data retention requirements and would rather see the
private sector come up with a better solution.

"I'm against this child porn stuff, but at the same time, let's not further
erode the rights of the American people," Stupak said. "That's what I'll be
looking for. I'll be looking at (proposed laws) with a very close,
constitutional eye as to the validity of the proposals... and I'd like to
hear from private industry what they can do."

The European precedent

One question is how closely U.S. proposals will follow those that Europe
already has adopted. In December, the European Parliament approved a
U.K.-backed requirement saying that communications providers in its 25
member countries--several of which had enacted their own data retention laws
already--must retain customer data for a minimum of six months and a maximum
of two years.

The Europe-wide requirement applies to a wide variety of "traffic" and
"location" data, including the identities of the customers' correspondents;
the date, time, and duration of phone calls, voice over Internet Protocol
calls, or e-mail messages; and the location of the device used for the
communications. But the "content" of the communications is not supposed to
be retained. The rules are expected to take effect in 2008.

According to a memo accompanying the proposed rules,
European politicians approved the rules because not all operators of
Internet and communications services were storing information about
citizens' activities to the extent necessary for law enforcement and
national security.

"These developments are making it much harder for public authorities to
fulfill their duties in preventing and combating organised crime and
terrorism, and easier for criminals to communicate with each other without
the fear that their communications data can be used by law enforcement
authorities to thwart them," the memo said.

Some U.S. companies are so alarmed by this requirement that they've talked
about scaling back their operations in Ireland, which boasts some of the
region's most aggressive data retention laws. Joe Macri, managing director
of Microsoft Ireland, told the Irish Times last month: "Irish legislation is
going beyond what is required from an EU perspective and is going to put
significant additional costs on businesses... While we respect and understand
the needs and concerns of the law enforcement agencies, there is also a need
to take personal privacy concerns and the broader needs of business into
consideration."

Jim Harper, director of information policy studies at the free-market Cato
Institute, was the member of Homeland Security's Data Privacy and
Integrity Advisory Committee who asked Chertoff about data retention last
month.

In an interview this week, Harper warned that mandatory data retention may
cause more harm than good. "The true criminals will go and use random Wi-Fi
nodes where you can get anonymous access," he said. "You haven't done
anything but increase surveillance of law-abiding citizens."

CNET News.com's Anne Broache contributed to this report.


Copyright ©1995-2006 CNET Networks, Inc. All rights reserved.



